diff options
author | Varun Ravichandran <varun.ravichandran@mongodb.com> | 2022-08-23 15:21:32 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2022-09-20 20:53:22 +0000 |
commit | ae3b498a0a4316fced5abd04d5218e10b54d13a5 (patch) | |
tree | 7d6cbdb1985c17b90862b162bcdd4466860ada59 | |
parent | 0d202a5f19efc5bca4926b76cd216d05f57cdff4 (diff) | |
download | mongo-ae3b498a0a4316fced5abd04d5218e10b54d13a5.tar.gz |
Revert "SERVER-67660 Add JWKManager"
This reverts commit 338cdd44e47e18ec40fae28d41de2d3822c28136.
(cherry picked from commit ba91e172b1ab0430b8bc72720b510d595069968d)
-rw-r--r-- | src/mongo/crypto/SConscript | 27 | ||||
-rw-r--r-- | src/mongo/crypto/jwk_manager.cpp | 92 | ||||
-rw-r--r-- | src/mongo/crypto/jwk_manager.h | 52 | ||||
-rw-r--r-- | src/mongo/crypto/jwt_test.cpp | 85 | ||||
-rw-r--r-- | src/mongo/crypto/jwt_types.idl | 64 | ||||
-rw-r--r-- | src/mongo/crypto/rsa_public_key.cpp | 28 | ||||
-rw-r--r-- | src/mongo/crypto/rsa_public_key.h | 18 | ||||
-rw-r--r-- | src/mongo/crypto/rsa_public_key_test.cpp | 5 |
8 files changed, 17 insertions, 354 deletions
diff --git a/src/mongo/crypto/SConscript b/src/mongo/crypto/SConscript index 86e457a0f40..af457d27050 100644 --- a/src/mongo/crypto/SConscript +++ b/src/mongo/crypto/SConscript @@ -156,30 +156,3 @@ env.CppUnitTest( 'sha_block_${MONGO_CRYPTO}', ], ) - -env.Library( - target='jwt', - source=[ - 'jwt_types.idl', - 'jwk_manager.cpp', - ], - LIBDEPS=[ - '$BUILD_DIR/mongo/base', - ], - LIBDEPS_PRIVATE=[ - '$BUILD_DIR/mongo/idl/idl_parser', - 'rsa_public_key', - ], -) - -env.CppUnitTest( - target='jwt_test', - source=[ - 'jwt_test.cpp', - ], - LIBDEPS=[ - '$BUILD_DIR/mongo/base', - 'jwt', - 'rsa_public_key', - ], -) diff --git a/src/mongo/crypto/jwk_manager.cpp b/src/mongo/crypto/jwk_manager.cpp deleted file mode 100644 index f93648f640c..00000000000 --- a/src/mongo/crypto/jwk_manager.cpp +++ /dev/null @@ -1,92 +0,0 @@ -/** - * Copyright (C) 2022-present MongoDB, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the Server Side Public License, version 1, - * as published by MongoDB, Inc. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * Server Side Public License for more details. - * - * You should have received a copy of the Server Side Public License - * along with this program. If not, see - * <http://www.mongodb.com/licensing/server-side-public-license>. - * - * As a special exception, the copyright holders give permission to link the - * code of portions of this program with the OpenSSL library under certain - * conditions as described in each individual source file and distribute - * linked combinations including the program with the OpenSSL library. You - * must comply with the Server Side Public License in all respects for - * all of the code used other than as permitted herein. If you modify file(s) - * with this exception, you may extend this exception to your version of the - * file(s), but you are not obligated to do so. If you do not wish to do so, - * delete this exception statement from your version. If you delete this - * exception statement from all source files in the program, then also delete - * it in the license file. - */ - -#include "mongo/crypto/jwk_manager.h" - -#include "mongo/bson/json.h" -#include "mongo/crypto/jwt_types_gen.h" -#include "mongo/logv2/log.h" -#include "mongo/util/base64.h" - -#define MONGO_LOGV2_DEFAULT_COMPONENT ::mongo::logv2::LogComponent::kAccessControl - -namespace mongo::crypto { -namespace { -constexpr auto kMinKeySizeBytes = 512 >> 3; - -// Strip insignificant leading zeroes to determine the key's true size. -StringData reduceInt(StringData value) { - std::size_t ofs = 0; - while ((ofs < value.size()) && (value[ofs] == 0)) { - ++ofs; - } - return value.substr(ofs); -} - -} // namespace - -JWKManager::JWKManager(BSONObj data) { - auto keys = JWKSet::parse(IDLParserContext{"JWKSet"}, data); - for (const auto& key : keys.getKeys()) { - uassert(ErrorCodes::BadValue, - str::stream() << "Only RSA key types are accepted at this time", - key.getType() == "RSA"_sd); - uassert(ErrorCodes::BadValue, "Key ID must be non-empty", !key.getKeyId().empty()); - - // Sanity check so that we don't load a dangerously small key. - auto N = reduceInt(key.getN()); - uassert(ErrorCodes::BadValue, - str::stream() << "Key scale is smaller (" << (N.size() << 3) - << " bits) than minimum required: " << (kMinKeySizeBytes << 3), - N.size() >= kMinKeySizeBytes); - - // Sanity check so that we don't load an insensible encrypt component. - auto E = reduceInt(key.getE()); - uassert(ErrorCodes::BadValue, - str::stream() << "Public key component invalid: " << base64url::encode(key.getE()), - (E.size() > 1) || ((E.size() == 1) && (E[0] >= 3))); - - auto keyId = key.getKeyId().toString(); - uassert(ErrorCodes::DuplicateKey, - str::stream() << "Key IDs must be unique, duplicate '" << keyId << "'", - _keys.find(keyId) == _keys.end()); - - LOGV2_DEBUG(6766000, 5, "Loaded JWK Key", "kid"_attr = key.getKeyId()); - _keys.insert({keyId, {key.getKeyId(), {E.rawData(), E.size()}, {N.rawData(), N.size()}}}); - } -} - -const RsaPublicKey& JWKManager::getKey(StringData keyId) const { - auto it = _keys.find(keyId.toString()); - uassert( - ErrorCodes::NoSuchKey, str::stream() << "Unknown key '" << keyId << "'", it != _keys.end()); - return it->second; -} - -} // namespace mongo::crypto diff --git a/src/mongo/crypto/jwk_manager.h b/src/mongo/crypto/jwk_manager.h deleted file mode 100644 index d44f924314c..00000000000 --- a/src/mongo/crypto/jwk_manager.h +++ /dev/null @@ -1,52 +0,0 @@ -/** - * Copyright (C) 2022-present MongoDB, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the Server Side Public License, version 1, - * as published by MongoDB, Inc. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * Server Side Public License for more details. - * - * You should have received a copy of the Server Side Public License - * along with this program. If not, see - * <http://www.mongodb.com/licensing/server-side-public-license>. - * - * As a special exception, the copyright holders give permission to link the - * code of portions of this program with the OpenSSL library under certain - * conditions as described in each individual source file and distribute - * linked combinations including the program with the OpenSSL library. You - * must comply with the Server Side Public License in all respects for - * all of the code used other than as permitted herein. If you modify file(s) - * with this exception, you may extend this exception to your version of the - * file(s), but you are not obligated to do so. If you do not wish to do so, - * delete this exception statement from your version. If you delete this - * exception statement from all source files in the program, then also delete - * it in the license file. - */ - -#pragma once - -#include <map> -#include <string> - -#include "mongo/base/string_data.h" -#include "mongo/bson/bsonobj.h" -#include "mongo/crypto/rsa_public_key.h" - -namespace mongo::crypto { - -class JWKManager { -public: - JWKManager() = default; - explicit JWKManager(BSONObj data); - - const RsaPublicKey& getKey(StringData keyId) const; - -private: - std::map<std::string, RsaPublicKey> _keys; -}; - -} // namespace mongo::crypto diff --git a/src/mongo/crypto/jwt_test.cpp b/src/mongo/crypto/jwt_test.cpp deleted file mode 100644 index 7de9b048c47..00000000000 --- a/src/mongo/crypto/jwt_test.cpp +++ /dev/null @@ -1,85 +0,0 @@ -/** - * Copyright (C) 2022-present MongoDB, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the Server Side Public License, version 1, - * as published by MongoDB, Inc. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * Server Side Public License for more details. - * - * You should have received a copy of the Server Side Public License - * along with this program. If not, see - * <http://www.mongodb.com/licensing/server-side-public-license>. - * - * As a special exception, the copyright holders give permission to link the - * code of portions of this program with the OpenSSL library under certain - * conditions as described in each individual source file and distribute - * linked combinations including the program with the OpenSSL library. You - * must comply with the Server Side Public License in all respects for - * all of the code used other than as permitted herein. If you modify file(s) - * with this exception, you may extend this exception to your version of the - * file(s), but you are not obligated to do so. If you do not wish to do so, - * delete this exception statement from your version. If you delete this - * exception statement from all source files in the program, then also delete - * it in the license file. - */ - -#include "mongo/platform/basic.h" - -#include "mongo/crypto/jwk_manager.h" -#include "mongo/unittest/unittest.h" -#include "mongo/util/assert_util.h" - -namespace mongo::crypto { -namespace { - -// Test key source: RFC 7515 "JSON Web Key" Appendix B. -constexpr auto k512BitKeyE = "AQAB"_sd; -constexpr auto k512BitKeyN = - "vrjOfz9Ccdgx5nQudyhdoR17V-IubWMeOZCwX_jj0hgAsz2J_pqYW08PLbK_PdiVGKPrqzmDIsL" - "I7sA25VEnHU1uCLNwBuUiCO11_-7dYbsr4iJmG0Qu2j8DsVyT1azpJC_NG84Ty5KKthuCaPod7i" - "I7w0LK9orSMhBEwwZDCxTWq4aYWAchc8t-emd9qOvWtVMDC2BXksRngh6X5bUYLy6AyHKvj-nUy" - "1wgzjYQDwHMTplCoLtU-o-8SNnZ1tmRoGE9uJkBLdh5gFENabWnU5m1ZqZPdwS-qo-meMvVfJb6" - "jJVWRpl2SUtCnYG2C32qvbWbjZ_jBPD5eunqsIo1vQ"_sd; - -BSONObj getTestJWKSet(StringData e, StringData n) { - BSONObjBuilder set; - BSONArrayBuilder keys(set.subarrayStart("keys"_sd)); - - { - BSONObjBuilder key(keys.subobjStart()); - key.append("kty", "RSA"); - key.append("kid", "numberOneKey"); - key.append("e", e); - key.append("n", n); - key.doneFast(); - } - - keys.doneFast(); - return set.obj(); -} - -TEST(JWKManager, parseJWKSetBasic) { - // Parse the test JWKSet and pull out numberOneKey, then compare it to the inputs. - auto basic = getTestJWKSet(k512BitKeyE, k512BitKeyN); - JWKManager manager(basic); - auto key = manager.getKey("numberOneKey"); - - ASSERT_BSONOBJ_EQ(key.toBSON(), basic["keys"_sd].Obj()[0].Obj()); -} - -TEST(JWKManager, parseJWKSetEmptyComponents) { - auto emptyE = getTestJWKSet("", k512BitKeyN); - ASSERT_THROWS_WHAT(JWKManager(emptyE), DBException, "Public key component invalid: "); - - auto emptyN = getTestJWKSet(k512BitKeyE, ""); - ASSERT_THROWS_WHAT(JWKManager(emptyN), - DBException, - "Key scale is smaller (0 bits) than minimum required: 512"); -} - -} // namespace -} // namespace mongo::crypto diff --git a/src/mongo/crypto/jwt_types.idl b/src/mongo/crypto/jwt_types.idl deleted file mode 100644 index 3337fe7b455..00000000000 --- a/src/mongo/crypto/jwt_types.idl +++ /dev/null @@ -1,64 +0,0 @@ -# Copyright (C) 2022-present MongoDB, Inc. -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the Server Side Public License, version 1, -# as published by MongoDB, Inc. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# Server Side Public License for more details. -# -# You should have received a copy of the Server Side Public License -# along with this program. If not, see -# <http://www.mongodb.com/licensing/server-side-public-license>. -# -# As a special exception, the copyright holders give permission to link the -# code of portions of this program with the OpenSSL library under certain -# conditions as described in each individual source file and distribute -# linked combinations including the program with the OpenSSL library. You -# must comply with the Server Side Public License in all respects for -# all of the code used other than as permitted herein. If you modify file(s) -# with this exception, you may extend this exception to your version of the -# file(s), but you are not obligated to do so. If you do not wish to do so, -# delete this exception statement from your version. If you delete this -# exception statement from all source files in the program, then also delete -# it in the license file. - -global: - cpp_namespace: "mongo::crypto" - -imports: - - "mongo/idl/basic_types.idl" - -structs: - JWK: - # RFC 7515 Section 4 - description: JSON Web Key - fields: - kty: - description: Key type - type: string - cpp_name: type - kid: - description: Unique Key ID - type: string - cpp_name: keyId - - # RSA specific fields - n: - description: Modulus of the RSA Key - type: base64urlstring - e: - description: Public key component of the RSA Key - type: base64urlstring - - JWKSet: - # RFC 7517 Section 5 - description: A set of JSON Web Keys - fields: - keys: - description: The JWK objects - type: array<JWK> - - diff --git a/src/mongo/crypto/rsa_public_key.cpp b/src/mongo/crypto/rsa_public_key.cpp index 5e63377bea7..76390e44606 100644 --- a/src/mongo/crypto/rsa_public_key.cpp +++ b/src/mongo/crypto/rsa_public_key.cpp @@ -28,24 +28,22 @@ */ #include "mongo/crypto/rsa_public_key.h" -#include "mongo/crypto/jwt_types_gen.h" + +#include <iterator> + +#include "fmt/format.h" +#include "mongo/base/string_data.h" #include "mongo/util/base64.h" namespace mongo::crypto { -namespace { -std::vector<std::uint8_t> vectorFromCDR(ConstDataRange cdr) { - return {cdr.data(), cdr.data() + cdr.length()}; -} -} // namespace -RsaPublicKey::RsaPublicKey(StringData keyId, ConstDataRange e, ConstDataRange n) - : _keyId(keyId.toString()), _e(vectorFromCDR(e)), _n(vectorFromCDR(n)) {} - -void RsaPublicKey::appendToBSON(BSONObjBuilder* builder) const { - builder->append(JWK::kTypeFieldName, "RSA"_sd); - builder->append(JWK::kKeyIdFieldName, _keyId); - builder->append(JWK::kEFieldName, base64url::encode(_e.data(), _e.size())); - builder->append(JWK::kNFieldName, base64url::encode(_n.data(), _n.size())); +RsaPublicKey::RsaPublicKey(StringData keyId, StringData e, StringData n) + : _keyId(keyId.toString()) { + fmt::memory_buffer eBuffer; + base64url::decode(eBuffer, e); + std::copy(eBuffer.begin(), eBuffer.end(), std::back_inserter(_e)); + fmt::memory_buffer nBuffer; + base64url::decode(nBuffer, n); + std::copy(nBuffer.begin(), nBuffer.end(), std::back_inserter(_n)); } - } // namespace mongo::crypto diff --git a/src/mongo/crypto/rsa_public_key.h b/src/mongo/crypto/rsa_public_key.h index ea8d78f3a24..e5773d2af33 100644 --- a/src/mongo/crypto/rsa_public_key.h +++ b/src/mongo/crypto/rsa_public_key.h @@ -29,16 +29,11 @@ #pragma once -#include <string> -#include <vector> - #include "mongo/base/data_range.h" #include "mongo/base/string_data.h" -#include "mongo/bson/bsonobj.h" -#include "mongo/bson/bsonobjbuilder.h" +#include "mongo/util/base64.h" namespace mongo::crypto { - /** * Provides an interface for managing parameters to an RSA signing operation. * Note that this key contains public material only, and is not suitable for decryption. @@ -50,7 +45,7 @@ public: * The RSA operation parameters of {E} and {N} must be passed as Base64URL encoded values (RFC * 4648 ยง5). */ - RsaPublicKey(StringData keyId, ConstDataRange e, ConstDataRange n); + RsaPublicKey(StringData keyId, StringData e, StringData n); std::size_t getKeySizeBytes() const { return _n.size(); } @@ -67,17 +62,10 @@ public: return _keyId; } - void appendToBSON(BSONObjBuilder* builder) const; - BSONObj toBSON() const { - BSONObjBuilder builder; - appendToBSON(&builder); - return builder.obj(); - } - private: - std::string _keyId; std::vector<std::uint8_t> _e; std::vector<std::uint8_t> _n; + std::string _keyId; }; } // namespace mongo::crypto diff --git a/src/mongo/crypto/rsa_public_key_test.cpp b/src/mongo/crypto/rsa_public_key_test.cpp index 72aaf3a41cc..8b61773c037 100644 --- a/src/mongo/crypto/rsa_public_key_test.cpp +++ b/src/mongo/crypto/rsa_public_key_test.cpp @@ -47,10 +47,7 @@ TEST(RSAPublickKeyTest, rsaKeyDecode) { "wjUu3HKsKPdIPqjf6zdrgv8W3OySt-QSFVBy_OQXraZ2wA7gJPyPmNhBr8L9M3AYRS_" "E1XRpsldMSrIe8bfxGyP2B9txiUQXIycWLC-e172SPjAjdUyaK3YLqGRtki6EgQ3qlzRPjoQheE-" "r3l62UaaAgHOo6FercdjdsIzT2-vhqZMQk59WhGuvygymiLw"_sd; - - auto eStr = base64url::decode(e); - auto nStr = base64url::decode(n); - RsaPublicKey key(keyID, {eStr.c_str(), eStr.size()}, {nStr.c_str(), nStr.size()}); + RsaPublicKey key(keyID, e, n); std::string strE; strE.assign(key.getE().data(), key.getE().length()); |